

To: Ralph Droms <rdroms@cisco.com>
Cc: dnsop@cafax.se
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Thu, 20 Nov 2003 00:53:49 +0100
In-Reply-To: <4.3.2.7.2.20031119061738.01e2e9a8@flask.cisco.com>
Sender: owner-dnsop@cafax.se
Subject: Re: DHCPv6lite, RA and WKA

On 19-nov-03, at 12:27, Ralph Droms wrote:

> "DHCP storm" has never been an issue for DHCPv4, where the problem is
> potentially more serious because DHCPv4 is usually used for address
> assignment.  What evidence do we have the "DHCP storm" will suddenly
> become a problem in DHCPv6?

I find it surprising that this problem has never come up in IPv4. In 
IPv6 it could potentially be worse as hosts already have an address so 
the DHCP traffic can get in the way of real traffic, unlike with IPv4.

>> For this reason, and because running the DHCP(lite) service results 
>> in additional operational complexity and security risks on both the 
>> servers and clients, I feel very strongly that we need a non-DHCP 
>> mechanism for determining DNS resolver addresses that can be used 
>> together with RFC 2462 IPv6 address configuration.

> I think we should reserve judgment on the additional operational
> complexity associated with stateless DHCPv6 until we actually have some
> operational experience.

Disagree. We need DNS configuration in IPv6 yesterday. Waiting for 
DHCPv6lite specs, then implementations and finally operational 
experience and THEN find out that there is indeed a problem and start 
work on other mechanisms will take too much time.

Besides, the question isn't whether DHCP can function well. I'm sure it 
can. The question is whether people who have otherwise no need for DHCP 
should be made to use it by not making alternative ways to configure 
DNS resolver addresses available.

> Based on the existing implementations of stateless DHCPv6, I
> don't see where the additional operational complexity will come from.

As long as everything works there is just the additional delay of having 
to wait for DHCP to complete. This should be pretty fast in most 
circumstances. But if it _doesn't_ work then debugging is going to be 
very inconvenient because there are now two protocols involved in 
configuring hosts when they come online. And any open ports add to the 
security risks.

>> What I don't understand is the fear of well-known addresses. This 
>> subject seems to have an extensive history, but I can't seem to find 
>> the actual arguments, as the discussion has long since deteriorated 
>> to kindergarten level: "Would you want 200 million devices to be 
>> shipped with the DNS of your organization burned into ROM?"

> If well-known addresses are such a good idea, why haven't we adopted
> them for IPv4?

Because IPv4 doesn't have a mechanism similar to RFC 2462 for address 
discovery/creation. So DNS configuration has always been something that 
went along with address discovery (= manual configuration, PPP and 
DHCP).

> Summarizing from below, I agree that we can specify the use of the 'O'
> bit to control the use of stateless DHCPv6 just as the 'M' bit controls
> the use of DHCPv6 for address assignment.  I still disagree that the
> supposed shortcomings to stateless DHCPv6 given in the first paragraph
> are sufficient to warrant the use of well known addresses or the
> development of an extension to RAs.

But do you agree that the fact that many people don't want to run 
DHCPv6 is sufficient reason?

Iljitsch van Beijnum
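The thread above argues over three ways a host can learn its resolver addresses: the RA 'M' and 'O' bits steering it into stateful or stateless DHCPv6, a well-known address, or an extension to the RA itself. The following is an added example, not code from the thread or from either participant, showing how a host would read those signals off a Router Advertisement and decide which path to take. It assumes the RFC 4861 RA layout (type 134, 'M' = 0x80 and 'O' = 0x40 in the flags byte) and the RDNSS option (type 25) that the "extension to RAs" later became in RFC 8106; the preference order in dns_config_plan (RA-carried resolvers first, then DHCPv6 by flag) is a local policy chosen for this example, and the sample messages and 2001:db8:: addresses are constructed. The security-relevant point from the message is visible in the code: when resolvers arrive in the RA, the host never has to start a DHCPv6 client or bind its UDP port 546 at all.

```python
"""Decide how an IPv6 host obtains DNS configuration from a Router
Advertisement. Constructed example; not code from the dnsop thread."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
ND_OPT_RDNSS = 25                   # RFC 8106 (assumed: the later "RA extension")


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 RA body (starting at the type byte, no IPv6 header):
    the 16-byte fixed header followed by TLV options in 8-byte units."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    typ, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & 0x80),   # 'M' bit: stateful DHCPv6 for addresses
        "other": bool(flags & 0x40),     # 'O' bit: stateless DHCPv6 for other config
        "router_lifetime": lifetime,
        "rdnss": [],
    }
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 4.6: must discard
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("option overruns message")
        if otype == ND_OPT_RDNSS:
            # type(1) len(1) reserved(2) lifetime(4), then n * 16-byte addresses,
            # so len is 1 + 2n units: at least 3 and odd.
            if olen < 3 or olen % 2 == 0:
                raise ValueError("malformed RDNSS option")
            (ttl,) = struct.unpack("!I", payload[off + 4:off + 8])
            servers = [ipaddress.IPv6Address(payload[i:i + 16])
                       for i in range(off + 8, end, 16)]
            ra["rdnss"].append({"lifetime": ttl, "servers": servers})
        # unknown option types are skipped by length, as RFC 4861 requires
        off = end
    return ra


def dns_config_plan(ra: dict) -> str:
    """Local policy (assumed for this example): resolvers carried in the RA
    win, otherwise the M/O bits decide whether a DHCPv6 client is started."""
    if ra["rdnss"]:
        return "ra-rdnss"           # no DHCPv6 client, no UDP/546 listener needed
    if ra["managed"]:
        return "dhcpv6-stateful"    # Solicit/Request: address and DNS from server
    if ra["other"]:
        return "dhcpv6-stateless"   # Information-request only (RFC 3736)
    return "none"                   # nothing advertised; manual config or WKA


# --- constructed sample messages (checksum left zero; never sent on the wire)
def build_ra(flags: int, options: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                      64, flags, 1800, 0, 0)
    return hdr + options


def build_rdnss(lifetime: int, servers) -> bytes:
    body = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    olen = 1 + len(body) // 8
    return struct.pack("!BBHI", ND_OPT_RDNSS, olen, 0, lifetime) + body


if __name__ == "__main__":
    for name, ra in [
        ("O bit only", build_ra(0x40)),
        ("M bit", build_ra(0x80)),
        ("RDNSS, no flags", build_ra(0x00, build_rdnss(3600, ["2001:db8::53"]))),
        ("bare RA", build_ra(0x00)),
    ]:
        print(f"{name:16s} -> {dns_config_plan(parse_ra(ra))}")
```

The same parser rejects the malformed cases a host on a hostile link must expect (zero-length options, options that overrun the message, an RDNSS option with a length that cannot hold whole addresses) rather than trusting the length fields.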
